Description
In the Linux kernel, the following vulnerability has been resolved:

tap: free page on error paths in tap_get_user_xdp()

tap_get_user_xdp() rejects a frame shorter than ETH_HLEN with -EINVAL,
and returns -ENOMEM when build_skb() fails. Both paths jump to the err
label without freeing the page that vhost_net_build_xdp() allocated for
the frame. tap_sendmsg() discards the per-buffer return value and always
returns 0, so vhost_tx_batch() takes the success path and never frees
the page; each rejected frame in a batch leaks one page-frag chunk.

Free the page on both error paths, before the skb is built. This is the
tap counterpart of the same leak in tun_xdp_one().
Published: 2026-06-09
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel, the function tap_get_user_xdp() allocates a page fragment for every incoming XDP packet. When a packet is shorter than an Ethernet header or when the socket buffer allocation fails, the function jumps to an error label but does not release the allocated page, creating a memory leak. Each rejected frame leaks one page‑frag chunk, which can accumulate and exhaust kernel memory if many invalid frames are processed. This flaw reflects the CWE‑772 “Missing Release of Resource After Effective Consumption” weakness and can lead to kernel instability or a reboot.

Affected Systems

All Linux kernel builds before the commit that introduced the fix are vulnerable. Systems that enable TAP interfaces with XDP support, such as virtual machines, containers, or host‑based services using TAP devices, are affected. The vulnerability is present in any kernel revision that has not incorporated the relevant patch.

Risk and Exploitability

An attacker who can send malformed network frames to a TAP device can repeatedly trigger the error paths, each time leaking a page fragment. The attack vector is likely through malicious traffic on a network connected to a TAP interface; this inference comes from the description of frame validation failures. Privilege requirements are not explicitly stated, so it is inferred that local or remote network access to the TAP endpoint is sufficient. The EPSS score is not available, and the flaw is not listed in CISA KEV, but repeated exploitation can deplete kernel memory, raising the risk to moderate or higher for exposed TAP endpoints.

Generated by OpenCVE AI on June 10, 2026 at 04:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Linux kernel patch that frees the page on both error paths in tap_get_user_xdp() (commit 18a84c35842e19cd3c5534d8cee73d31863f696d or newer).
  • Upgrade affected Linux systems to a kernel version that includes the fixed commit and verify the running kernel with `uname -a`.
  • If a kernel upgrade cannot be performed immediately, mitigate exposure by disabling TAP interfaces on untrusted networks or removing XDP support for TAP until the fix is applied.

Generated by OpenCVE AI on June 10, 2026 at 04:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 03:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401

Wed, 10 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-772
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Tue, 09 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401

Tue, 09 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: tap: free page on error paths in tap_get_user_xdp() tap_get_user_xdp() rejects a frame shorter than ETH_HLEN with -EINVAL, and returns -ENOMEM when build_skb() fails. Both paths jump to the err label without freeing the page that vhost_net_build_xdp() allocated for the frame. tap_sendmsg() discards the per-buffer return value and always returns 0, so vhost_tx_batch() takes the success path and never frees the page; each rejected frame in a batch leaks one page-frag chunk. Free the page on both error paths, before the skb is built. This is the tap counterpart of the same leak in tun_xdp_one().
Title tap: free page on error paths in tap_get_user_xdp()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-09T12:11:12.882Z

Reserved: 2026-05-13T15:03:33.112Z

Link: CVE-2026-46320

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-09T13:16:37.373

Modified: 2026-06-09T13:16:37.373

Link: CVE-2026-46320

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-09T00:00:00Z

Links: CVE-2026-46320 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T04:30:06Z

Weaknesses